Well-Architected Framework
Implement zero trust security and networking
In traditional infrastructure, security focused on securing the network perimeter using firewalls, VPNs, and other network security tools.
Securing modern infrastructure requires a different approach. Most of the same security principles and tools still apply, but how you implement a strong security program has changed: workloads are dynamic and span multiple networks and clouds, so a single network perimeter no longer defines what is trusted.
In the secure infrastructure section, you will learn how to adapt your security program to modern infrastructure by shifting your security focus from the network perimeter to identities, and by using automation to establish a zero trust architecture. You will also see why security must be part of your organization's culture, and how security automation improves efficiency and reduces human error. You will then review how to manage ingress and egress (north-south) traffic and how to prevent lateral movement (east-west traffic) in order to stop unauthorized access and data exfiltration.
What is a zero trust network architecture?
Zero trust security is a security model that eliminates the concept of a trusted network and requires verification for every user, device, and application attempting to access a resource, regardless of where the request originates. Unlike traditional perimeter-based security, which assumes everything inside the network is safe, zero trust security operates on the principle of "never trust, always verify": every request is authenticated and authorized against an identity, and access is granted with the least privilege needed for the shortest time needed.
In the following video, HashiCorp co-founder Armon Dadgar discusses the zero trust security model and how it can protect your organization.
Throughout this series, you will see how HashiCorp tools work together, so you can create a strong security model following zero trust principles across your infrastructure.
Terraform manages infrastructure changes:
- Engineers modify infrastructure through code review.
- CI/CD systems use Vault-generated cloud credentials.
- No human has direct cloud console access.
Vault manages secrets and identities:
- Manages static and dynamic secrets.
- Creates a trusted identity platform to authenticate and authorize users and devices.
- Issues just-in-time credentials for infrastructure access.
- Manages certificates for both PKI and certificate-based authentication.
Boundary and Vault provide access to infrastructure:
- Support teams access infrastructure through Boundary.
- Vault provides just-in-time credentials for each session.
- All access is temporary, audited, and automatically expires.
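The Vault and Boundary workflow described above, as an added example expressed in Terraform using the Vault and Boundary providers. This is illustrative configuration written for this page, not configuration from the page or from HashiCorp; the database host, role name, TTLs, Vault address, and the `var.*` inputs are assumptions.

```hcl
# Added example: Vault issues short-lived PostgreSQL credentials and Boundary
# brokers one into each support session. Hostnames, role names, TTLs and
# variables are assumptions for illustration.

# Mount the database secrets engine.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# Vault's own connection to the database. This is the only long-lived
# database credential; every session credential below is generated from it.
resource "vault_database_secret_backend_connection" "app_postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["support-readonly"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.internal:5432/app?sslmode=require"
    username       = "vault-admin"
    password       = var.vault_db_password
  }
}

# Just-in-time role: each read of database/creds/support-readonly creates a
# new, uniquely named, read-only database user that Vault drops at expiry.
resource "vault_database_secret_backend_role" "support_readonly" {
  backend = vault_mount.db.path
  name    = "support-readonly"
  db_name = vault_database_secret_backend_connection.app_postgres.name

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]

  default_ttl = 900  # 15 minutes: enough for a support session
  max_ttl     = 3600 # hard ceiling even if the lease is renewed
}

# Least-privilege policy for the token Boundary holds: it may request
# credentials from this one role, plus the token and lease operations
# Boundary needs to manage itself and the leases it brokers. Nothing else.
resource "vault_policy" "boundary_support_db" {
  name   = "boundary-support-db"
  policy = <<-EOT
    path "database/creds/support-readonly" { capabilities = ["read"] }
    path "auth/token/lookup-self"           { capabilities = ["read"] }
    path "auth/token/renew-self"            { capabilities = ["update"] }
    path "auth/token/revoke-self"           { capabilities = ["update"] }
    path "sys/leases/renew"                 { capabilities = ["update"] }
    path "sys/leases/revoke"                { capabilities = ["update"] }
    path "sys/capabilities-self"            { capabilities = ["update"] }
  EOT
}

# Boundary credential store backed by Vault. The token should be renewable,
# orphan, and bound to the policy above, so Boundary never stores a database
# credential at rest.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault"
  scope_id = var.boundary_project_scope_id
  address  = "https://vault.internal:8200"
  token    = var.boundary_vault_token
}

# Each Boundary session reads this path, so every session gets its own
# credential, and revoking the session lease revokes the database user.
resource "boundary_credential_library_vault" "support_db" {
  name                = "support-readonly"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/support-readonly"
  http_method         = "GET"
}
```

Attaching the credential library to a Boundary target (and the target to a host set) is omitted here. The security-relevant checks are in the policy and the role: the Boundary token cannot read any other Vault path, the generated user is read-only, and `max_ttl` bounds how long any single credential can live even if a session is renewed repeatedly.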
Consul enables network security:
- API gateways manage ingress and terminating gateways manage egress (north-south traffic) with identity-based policies.
- Service mesh provides automatic mTLS encryption and service-to-service authorization.
- Service intentions define which services can communicate, providing micro-segmentation that blocks unauthorized lateral movement.
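The micro-segmentation described above, as an added example of a Consul `service-intentions` config entry. This is illustrative configuration written for this page, not configuration from the page or from HashiCorp; the service names and paths are assumptions.

```hcl
# Added example: deny-by-default micro-segmentation for a "billing" service.
# Service names and paths are assumptions; the entry format is Consul's.
Kind = "service-intentions"
Name = "billing"

Sources = [
  {
    # checkout may call billing, but only the payments API and only via POST.
    # The trailing deny makes the intent explicit: anything else from
    # checkout is rejected at the sidecar before it reaches billing.
    Name = "checkout"
    Permissions = [
      {
        Action = "allow"
        HTTP = {
          PathPrefix = "/v1/payments"
          Methods    = ["POST"]
        }
      },
      {
        Action = "deny"
        HTTP = { PathPrefix = "/" }
      }
    ]
  },
  {
    # analytics gets read-only access to invoices and nothing else.
    Name = "analytics"
    Permissions = [
      {
        Action = "allow"
        HTTP = {
          PathPrefix = "/v1/invoices"
          Methods    = ["GET"]
        }
      },
      {
        Action = "deny"
        HTTP = { PathPrefix = "/" }
      }
    ]
  },
  {
    # Catch-all: every other identity in the mesh is denied, so a compromised
    # service cannot pivot to billing regardless of network reachability.
    # Consul evaluates exact-name sources before wildcards, so the two
    # allowances above still apply.
    Name   = "*"
    Action = "deny"
  }
]
```

Two caveats a practitioner should check. The L7 `Permissions` blocks only apply when the destination service is configured with `Protocol = "http"` in its `service-defaults` entry; for a TCP service Consul rejects them, and only the L4 `Action` form is valid. And the `*` source here only covers `billing`; to make the whole mesh deny by default, set the cluster's default intention policy to deny rather than relying on a wildcard entry per service.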
Waypoint allows developer self-service:
- Developers deploy through standardized workflows without infrastructure access.
- Platform teams define secure deployment patterns that developers automatically follow.
- Reduces the number of people requiring direct infrastructure permissions.
Combining these tools creates a strong foundation for a zero-trust model where access to infrastructure is both secure and auditable without sacrificing operational efficiency.
Other services to complete your zero trust architecture include:
- Identity providers - Centralized identity and access management systems (Okta, Azure AD, Ping Identity) that integrate with Vault to provide SSO and MFA capabilities.
- SIEM solutions - Security Information and Event Management (SIEM) solutions (Splunk, ELK Stack, Grafana) that collect and analyze logs from Vault, Boundary, Consul, and other systems to provide real-time monitoring and alerting.
- Endpoint security solutions - Tools that ensure devices accessing the network meet security standards, such as antivirus software, host firewalls, and endpoint detection and response (EDR) solutions.
HashiCorp resources:
- Get started with Boundary
- Get started with Consul
- Get started with Terraform
- Get started with Vault
- Get started with Waypoint
Next steps
In this section of Secure infrastructure, you learned about the tools and workflows needed to implement a zero trust security model. Integrating HashiCorp tools into your infrastructure and network architecture enables auditable infrastructure changes, access to infrastructure that follows the principle of least privilege, and properly managed secrets. Implement zero trust security and networking is part of the Secure systems pillar.
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your organization's security program.